FMG Law Blog Line

Posts Tagged ‘Identity Theft’

Supreme Court Declines to Hear Data Breach Standing Case

Posted on: February 23rd, 2018

By: Amy C. Bender

The ongoing issue of when a plaintiff has grounds to sue (“standing”) in data breach cases saw another development this week when the U.S. Supreme Court declined to weigh in on the debate.

CareFirst, a BlueCross BlueShield health insurer, suffered a cyberattack in 2014 that was estimated to have exposed data of 1.1 million customers. Affected customers filed a federal class action lawsuit in the District of Columbia claiming CareFirst failed to adequately safeguard their personal information. CareFirst asked the court to dismiss the case, arguing that, since the customers had not alleged their stolen personal data had actually been misused or explained how it could be used to commit identity theft, the customers had not suffered an injury sufficient to give them standing to sue and the court therefore lacked jurisdiction to hear the case. The court agreed with CareFirst and dismissed the case. Notably, in this particular breach, CareFirst maintained the hackers had not accessed more sensitive information such as the customers’ Social Security or credit card numbers, and the court found the customers had not alleged or shown how the hackers could steal the customers’ identities without that information. In other words, the mere risk to the customers of future harm in the form of increased risk of identity theft was too speculative.

The customers appealed this decision, and the appellate court reversed, finding the district court had read the customers’ complaint too narrowly. The appellate court reasoned that the customers actually had asserted their Social Security and credit card numbers were included in the compromised data and that they had sufficiently alleged a substantial risk of future injury.

In response, CareFirst filed a petition with the Supreme Court asking it to review the appellate decision. This would have been the first pronouncement on this issue from the high court in a data breach class action lawsuit, a move long-awaited by lower courts, lawyers, and their clients in order to gain more clarity on the application of prior decisions like Spokeo in the specific context of data breach litigation. However, the Supreme Court denied the request (without explanation, as is typical).

As we have reported here and here, courts continue to grapple with the contours of standing in data breach cases. We will continue to monitor and report on developments in this still-evolving area of the law.

If you have any questions or would like more information, please contact Amy Bender at [email protected].

 

Enhanced Privacy and Data Security Law on Tap for North Carolina

Posted on: February 8th, 2018

By: Paul H. Derrick

A bi-partisan privacy and data security bill will soon be rolled out in North Carolina, and its impact will be significant. North Carolina Attorney General Josh Stein and State Representative Jason Saine are co-authoring “The Act to Strengthen Identity Theft Protections.”  According to a recent press release and fact sheet, they plan to seek its introduction in the State’s General Assembly during the coming months.

The bill will bring dramatic changes to North Carolina’s existing Identity Theft Protection Act, particularly in two areas: (1) the imposition of an affirmative duty to implement and maintain data security procedures and practices; and (2) a 15-day breach notification window.  Companies that experience a data breach and have failed to maintain reasonable security practices will be deemed to have committed a per se violation of the North Carolina Unfair and Deceptive Trade Practices Act, and each person affected by the breach would constitute a separate and distinct violation of the law.  With provisions for treble damages and attorney’s fees, even for nominal violations, data breach litigation would quickly become much more lucrative for plaintiffs’ attorneys.

The proposed bill also would require companies to notify affected individuals and the Attorney General within 15 days following discovery or notification of a breach.  That is a substantial change from the current law’s requirement that notification be made “without unreasonable delay.”  Businesses will need to have a response plan already in place in the event a breach occurs, rather than waiting until the time arrives to develop a course of action.

Other provisions in the legislation update the definition of security breach to include ransomware attacks, broaden the definition of “personally identifiable information” to include medical information and insurance account numbers, allow consumers to freeze and unfreeze their credit without charge, and provide individuals with greater access to and control over their personal data.

Because it already has strong bi-partisan support, some version of the bill will almost surely be passed into law. North Carolina employers must not wait until that happens to begin preparing for it, however.  Businesses should audit their existing internal privacy and data security programs now and immediately develop meaningful and legally-compliant safeguards in any areas that are lacking.

Please contact Paul Derrick at [email protected] or anyone in FMG’s Data Security, Privacy, & Technology practice group if you would like more information on developing and implementing privacy and data security programs. We also have extensive experience in guiding organizations through data breaches and representing clients in data breach litigation.